Swift: Extend swift/weak-sensitive-data-hashing, swift/weak-password-hashing sinks

swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll

@@ -54,12 +54,15 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
         // CryptoKit
         // (SHA-256, SHA-384 and SHA-512 are all variants of the SHA-2 algorithm)
         ";SHA256;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";SHA256;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA256;true;update(data:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA256;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA384;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";SHA384;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA384;true;update(data:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA384;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA512;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA512",
+        ";SHA512;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
         ";SHA512;true;update(data:);;;Argument[0];weak-password-hash-input-SHA512",
         ";SHA512;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
         // CryptoSwift
@@ -111,6 +114,25 @@ private class DefaultWeakPasswordHashingSink extends WeakPasswordHashingSink {
   override string getAlgorithm() { result = algorithm }
 }
 
+/**
+ * A sink for weak password hashing through a call with a metatype qualifier.
+ */
+private class WeakPasswordHashingMetatypeSink extends WeakPasswordHashingSink {
+  string algorithm;
+
+  WeakPasswordHashingMetatypeSink() {
+    exists(CallExpr c |
+      c.getAnArgument().getExpr() = this.asExpr() and
+      algorithm = ["SHA256", "SHA384", "SHA512"] and
+      c.getQualifier().getType().getFullName() = algorithm + ["", ".Type"] and
+      c.getStaticTarget().getName() =
+        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
+    )
+  }
+
+  override string getAlgorithm() { result = algorithm }
+}
+
 /**
  * A barrier for weak password hashing, when it occurs inside of
  * certain cryptographic algorithms as part of their design.

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll

@@ -40,9 +40,11 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
       [
         // CryptoKit
         ";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
         // CryptoSwift
@@ -69,10 +71,29 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
 /**
  * A sink defined in a CSV model.
  */
-private class DefaultWeakSenitiveDataHashingSink extends WeakSensitiveDataHashingSink {
+private class DefaultWeakSensitiveDataHashingSink extends WeakSensitiveDataHashingSink {
   string algorithm;
 
-  DefaultWeakSenitiveDataHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }
+  DefaultWeakSensitiveDataHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }
+
+  override string getAlgorithm() { result = algorithm }
+}
+
+/**
+ * A sink for weak sensitive data hashing through a call with a metatype qualifier.
+ */
+private class WeakSensitiveDataHashingMetatypeSink extends WeakSensitiveDataHashingSink {
+  string algorithm;
+
+  WeakSensitiveDataHashingMetatypeSink() {
+    exists(CallExpr c |
+      c.getAnArgument().getExpr() = this.asExpr() and
+      algorithm = ["MD5", "SHA1"] and
+      c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and
+      c.getStaticTarget().getName() =
+        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
+    )
+  }
 
   override string getAlgorithm() { result = algorithm }
 }

swift/ql/src/change-notes/2026-05-26-hashing-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue where common usage patterns for `CryptoKit` weren't being recognized as hashing sinks for the `swift/weak-sensitive-data-hashing` and `swift/weak-password-hashing` queries. These queries may find additional results after this change.